Personal information for roughly 80 million individuals was compromised after hackers broke into a database for Anthem Inc., the nation's second-largest health insurance company.
Information including names, birthdays, addresses, email addresses, employment information and Social Security/member identification numbers was compromised, according to the insurer. However, Anthem says its investigation to date shows that no diagnosis or treatment data for customers has been exposed. The origin of the attack is currently unknown. According to Anthem, all those impacted will receive notification via mail advising them of offered protections and next steps.
The hack involved both current and former customers, as well as current Anthem employees, according to Anthem President and CEO Joseph Swedish, who says that even his own information was breached. Impacted plans and brands include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink and DeCare.
"Anthem was the target of a very sophisticated external cyberattack," Swedish says in a memo to customers on the insurer's website. "These attackers gained unauthorized access to Anthem's IT system and have obtained personal information from our current and former members."
Previously, the biggest health data breach stemming from hacker activity was last year's breach of Franklin, Tennessee-based Community Health Systems, which operates 206 hospitals in 29 states. Personal information for roughly 4.5 million patients was compromised in that attack, in which hackers used the computer bug Heartbleed to gain access to the data.
Various indicators of compromise were not found by other organizations across the industry, meaning this attack was targeted specifically at Anthem, according to a Health Information Trust Alliance (HITRUST) alert emailed to FierceHealthIT. Anthem has been working with HITRUST's Cyber Threat Intelligence and Incident Coordination Center (C3), sharing hack-related information with the organization.
Late last month, President Barack Obama touted cybersecurity as one of his top priorities in his State of the Union address. While the president's cybersecurity plan is not specific to the health industry, it has won the endorsement of HITRUST. It calls for increased sharing of information on cyberthreats from the private sector with protection from liability. The White House wants the private sector to share its cyberthreat information with the Department of Homeland Security's National Cybersecurity and Communications Integration Center, which would pass that information along to other federal agencies and private-sector operated Information Sharing and Analysis Organizations.
The plan also calls for a single notification requirement that would standardize the "existing patchwork" of state laws currently in place.